{
"$type": "site.standard.document",
"canonicalUrl": "https://johnnyreilly.com/posts/configure-azure-connection-strings-keys-in-azure-bicep",
"description": "Learn how to configure Azure resources like Azure Static Web Apps and Azure Container Apps with connection strings and access keys in Azure with Bicep.",
"path": "/posts/configure-azure-connection-strings-keys-in-azure-bicep",
"publishedAt": "2024-03-10T00:00:00.000Z",
"site": "at://did:plc:yy3apqjlms24kso7ahn7lbmb/site.standard.publication/3mova7c4nho2b",
"tags": [
"bicep",
"azure",
"azure container apps",
"azure static web apps"
],
"textContent": "Imagine you're deploying a solution to Azure. It'll feature some resources like a database or a storage account. How do can you configure your application with access to these resources? One approach would be using Managed Identity. Another approach is configuring the connection strings and access keys in our application's configuration store as the Bicep templates are deployed. This is a common approach when working with Azure Functions, Azure Static Web Apps, Azure Container Apps and similar.\n\nA wonderful aspect of this approach is that no human need ever get to see the connection strings / access keys. They'll be discovered and consumed by Azure during a deployment, and known to your application at runtime, but untrustworthy humans need never get to see them. This is secure, and therefore _good_.\n\n\n\nConfigure an Azure Static Web App with a connection string and an access key\n\nThe blog you are reading this on is hosted on Azure Static Web Apps and deployed with Bicep. It also has an Azure Cosmos DB database and an Application Insights instance. The Azure Static Web App has access to the database via its access key and has access to the Application Insights instance through a connection string. The key and connection string are supplied to the configuration of the SWA during deployment.\n\nLet's look at the Bicep configuration that deploys a database. Here's a snippet of the Bicep template:\n\nHere's a snippet of the Bicep template that deploys the Application Insights instance:\n\nGiven that both of these resources are deployed, we can reference them subsequently and acquire connection strings / access keys.\n\nSo when we're getting ready to deploy the Azure Static Web App, we are able reference both the database and the Application Insights instance. Here's a snippet of the Bicep template that acquires the references:\n\nWith those references in hand, we can now configure the Azure Static Web App with the connection string and access key. Here's a snippet of the Bicep template that configures the Azure Static Web App with the connection string and access key:\n\nI've slightly tweaked the code to make it more readable, if you'd like to see the full configuration of the Azure Static Web App in the source of my blog, you can find it here.\n\nYou can see the effect of this configuration in the Azure Portal. Here's a screenshot of the configured environment variables of the Azure Static Web App:\n\nConfigure an Azure Container App with a connection string and an access key\n\nWhat's hopefully apparent from the previous section is that in the end this amounts to injecting a string to the appropriate place in the configuration of the resource. This is true for Azure Container Apps as well. Here's a snippet of the Bicep template that configures an Azure Container App with a connection string and access key:\n\nThe mechanism is slightly different, as befits the different service being used, but the principle is the same. We're injecting the connection string and access key into the configuration of the resource.\n\nConclusion\n\nIn this post we've demonstrated how to deploy resources, acquire reference to them and safely configure Azure Static Web Apps and Azure Container Apps such that they can access the resources.\n\nThe pattern we've used here is generally applicable in the Azure world. The same technique can be used to configure Azure Functions, Azure KeyVault, and many other Azure resources. The key is to understand the configuration of the resource you're working with and to understand how to inject the relevant secrets into that configuration.",
"title": "Configure Azure connection strings and keys in Azure Bicep"
}